Expert Advice Community

Guest

Is PII Information?

  Quote
Guest
Guest user Created:   Dec 20, 2020 Last commented:   Dec 20, 2020

Is PII Information?

Dear Dejan,

I have a question for you if you can help me on this.

Is customer PII considered as Information in ISO27001:2013 Standard?

If yes then shouldn't monitoring of PII shared with vendors be mandatory and not dependent upon contractual agreement. Shouldn't this activity be not allowed to be excluded from contractual agreement?

This question confuses me on allowing exclusions in ISMS

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Dec 20, 2020

1 - Is customer PII considered as Information in ISO 27001:2013 Standard?

Answer: Information is any data with meaning, and ISO 27001 was designed to protect any kind of information, so Customer Personally Identifiable Information (PII) is also considered in its scope.

These articles will provide you a further explanation about ISO 27001:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/


This material will also help you regarding ISO 27001:
- ISO 27001 Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/

2 If yes then shouldn't monitoring of PII shared with vendors be mandatory and not dependent upon contractual agreement. Shouldn't this activity be not allowed to be excluded from contractual agreement? This question confuses me on allowing exclusions in ISMS

Answer: First is important to note that for most countries the protection of PII is not a contractual obligation, but a legal obligation. For example, we have GDPR in Europe, CCPA in U.S., and LGPD in Brazil.

GDPR and other regulations require a contract between controller and a processor, in cases both when the outsourced processing is done within the country and outside the country.

For further information, see:
- EU GDPR Foundations Course https://training.advisera.com/se/eu-gdpr-foundations-course//

Quote
0 1

Comment as guest or Sign in

HTML tags are not allowed

Dec 20, 2020

Dec 20, 2020

Suggested Topics